Asuswrt-Merlin Port 80 DNAT's

[garycnew]

All:

I've run into an issue where I'm trying to run a web service on the Asuswrt-Merlin br0 Dynamic IP Address, but it appears that there are Port 80 DNAT's that already exist.

# iptables -t nat -S | grep 80
-A VSERVER -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:62299
-A VSERVER -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:46326

Does anyone else have similar Port 80 DNAT's? If so, do you know the purpose of them?

Presently, I don't see any services running on the referenced high-ports, but it could be related to an on-demand service such as acme.sh's standalone method, etc. The Asuswrt-Merlin Web UI listens on 127.0.01:80 and 192.168.0.1:80.

# netstat -anp|grep :80                                                      
tcp        0      0 xxx.xxx.xxx.xxx:80         0.0.0.0:* 
           LISTEN      8130/nginx: master             
tcp        0      0 192.168.0.3:80          0.0.0.0:* 
           LISTEN      8130/nginx: master             
tcp        0      0 192.168.0.2:80          0.0.0.0:* 
           LISTEN      8130/nginx: master             
tcp        0      0 127.0.0.1:80            0.0.0.0:* 
           LISTEN      24007/httpd                    
tcp        0      0 192.168.0.1:80          0.0.0.0:* 
           LISTEN      24007/httpd                    
tcp        0      0 0.0.0.0:8082            0.0.0.0:* 
           LISTEN      24197/lighttpd

Any clue as to the purpose of these Port 80 DNAT's and their importance is greatly appreciated.

Respectfully,


Gary

 

[eibgrad]

Try using the following command to see what process/service is listening on those ports.

netstat -tulpn | egrep ':62299|:46326'

UPDATE: Ok, I see you've now done that. Those are pretty obscure ports, so I agree it's probably coming from some on-demand service. But I don't recognize them specifically. It's definitely not found in my own firewall script.

 

[eibgrad]

BTW, does it have to be port 80? Many ISPs don't allow port 80/443 w/ consumer accounts. And even if they do, port 80/443 will typically get hammered by hackers/bots looking for vulnerabilities. It's why we don't ever recommend exposing the GUI to the internet. Or any other well-known ports (22, 1194, etc.). Just too risky.

 

[ColinTaylor]

Try using the following command to see what process/service is listening on those ports.

netstat -tulpn | egrep ':62299|:46326'

UPDATE: Ok, I see you've now done that. Those are pretty obscure ports, so I agree it's probably coming from some on-demand service. But I don't recognize them specifically. It's definitely not found in my own firewall script.

It's a bit confusing because of the re-edited post. But as of this moment in time he appears not to have issued the correct netstat statement. His netstat is grepping port 80 whereas, as you say, it should be ports 46326 and 62299.

 

[Nodens]

Pretty sure that's for letsencrypt certificate issuing renewal as it works exactly like that.. it uses nginx on port 80 to do the verification cause that's how letsencrypt works with the web authentication option.
I know it for sure because I've tested it to see the implementation as I'm not interested in opening the router to the public and I want to script dns authentication instead.

PS I'm also debating having one of my servers acquire the certificate via DNS method and just upload it to the router with a certbot posthook script. That's probably lighter.

 

[garycnew]

It's definitely not found in my own firewall script.

@eibgrad

Port 80 DNAT not found on your Asuswrt-Merlin Firewall is a good baseline. I had searched for those high-ports in my original post, but didn't provide the output (just stated the the result).

Thank you for the reply.

Respectfully,


Gary

 

[garycnew]

BTW, does it have to be port 80? Many ISPs don't allow port 80/443 w/ consumer accounts. And even if they do, port 80/443 will typically get hammered by hackers/bots looking for vulnerabilities. It's why we don't ever recommend exposing the GUI to the internet. Or any other well-known ports (22, 1194, etc.). Just too risky.

@eibgrad

Risky or not... If I want to use my router as a Nginx loadbalancer, I'll simply have to make sure nginx is up to date.

Thanks, again.

Respectfully,


Gary

 

[garycnew]

It's a bit confusing because of the re-edited post. But as of this moment in time he appears not to have issued the correct netstat statement. His netstat is grepping port 80 whereas, as you say, it should be ports 46326 and 62299.

@ColinTaylor

Please refer to my reply to @eibgrad

As always, I appreciate your reply.

Respectfully,


Gary

P.S. Thanks, again, for your assistance troubleshooting nginx Tor loadbalancing. It seems to be working well, but it's taking months to burn in and validate. I'll put together a tutorial, once validation is complete. On the upside, I've leaned a ton about Tor in the process.

 

[garycnew]

Pretty sure that's for letsencrypt certificate issuing renewal as it works exactly like that.. it uses nginx on port 80 to do the verification cause that's how letsencrypt works with the web authentication option.
I know it for sure because I've tested it to see the implementation as I'm not interested in opening the router to the public and I want to script dns authentication instead.

PS I'm also debating having one of my servers acquire the certificate via DNS method and just upload it to the router with a certbot posthook script. That's probably lighter.

@Nodens

I agree... My gut tells me it's related to the Asuswrt-Merlin acme.sh standalone implementation, which I've been developing an asus-wrapper-acme.sh script to manipulate to use the --dns method.

Perhaps, the Asuswrt-Merlin acme.sh process didn't remove the --standalone method Port 80 DNAT'S from it being terminated mid-process and not cleaning up.

I've removed the Port 80 DNAT's and have successfully PERMITed nginx port 80 access. I'll watch to see if I run into any issues, but we're live in Port 80, now.

Thank you for your reply.

Respectfully,


Gary

 

[ColinTaylor]

@ColinTaylor

Please refer to my reply too @eibgrad

Sorry, I don't understand this reference.

In your OP you found DNAT rules that appear to be directed at ports 62299 and 46326 (although both can't be true at the same time). So to see if there is in fact something listening on either of those ports you need to netstat/grep those ports. My confusion comes because although you said "I don't see any services running on the referenced high-ports" the netstat output you show is for port 80 and not ports 62299 and 46326.

I've never seen the router put ports like that in the VSERVER chain. So my guess is that it must come from a user script of some sort.

 

[garycnew]

@eibgrad

Port 80 DNAT not found on your Asuswrt-Merlin Firewall is a good baseline. I had searched for those high-ports in my original post, but didn't provide the output (just stated the the result).

Thank you for the reply.

Respectfully,


Gary

@ColinTaylor

The above response to @eibgrad was what I was referencing you to. Please see my other responses in this post, as well.

I have to agree with your assessment.

Respectfully,


Gary

 

[ColinTaylor]

Thanks for the clarification. It looks like it probably does come from the letsencrypt prebuilt blob:

# strings /usr/lib/libletsencrypt.so | grep VSERVER
iptables -t nat -I VSERVER -p tcp --dport %d -j DNAT --to-destination %s:%u

 

[garycnew]

Thanks for the clarification. It looks like it probably does come from the letsencrypt prebuilt blob:

# strings /usr/lib/libletsencrypt.so | grep VSERVER
iptables -t nat -I VSERVER -p tcp --dport %d -j DNAT --to-destination %s:%u

@ColinTaylor

Wow... It's actually in the libletsencrypt.so. I hope you didn't spend too much time hunting down that strings output. I was thinking it would more likely be in the Asuswrt-Merlin kernel as that's how the related acme.sh output is referenced in the System Logs.

Now, I can rest at ease knowing that by removing the Port 80 DNAT rules I won't break anything.

Thanks, again, for your second-set-of-eyes.

With Much Respect,


Gary